Insider Theft: the Real Cyber Threat?

Wall Street Journal

Companies have obsessed lately about the danger posed by foreign hackers but the biggest threat may come from their own employees.

Fear of foreign cyber intrusions peaked following a report by computer security firm Mandiant that a unit of China’s People’s Liberation Army was engaging in cyberwarfare against U.S. corporations and government agencies. Daily headlines told corporate America that Chinese hackers were targeting their systems. (The Chinese government has denied the allegations.)

Although all of that may be true, according to Mike Dubose, the head of Kroll Advisory Solutions’ cyber investigations practice, the coverage missed the bigger picture.

“Foreign hacking has grabbed all the headlines,” Dubose said. “But more than two-thirds of all cyber cases involve company insiders, not outside hackers. And, that figure is probably under-reported because many internal breaches are not made public.”

Dubose isn’t alone in this assessment. A survey last year by security firm AlgoSec found that security managers are more worried about low-level insiders than sophisticated foreign hackers. At a recent conference, Federal Bureau of Investigation Chief Information Security Officer Patrick Reidy said that companies with strong protections against inside threats will be around in 10 years, and those without them will not.

Take the case of Hanjuan Jin, for example. Jin was a software engineer at Motorola from 1998 until 2007. But she accepted a job from a Chinese competitor in 2006 while on medical leave. Upon her return to Motorola, she downloaded proprietary technical documents from the company’s secure internal network and then gave notice. She was arrested at Chicago’s O’Hare Airport with more than 1,000 Motorola documents and a one-way ticket to China. Jin was sentenced to four years in prison in August.

Dubose, who previously served as chief of the Justice Department’s Computer Crime and Intellectual Property Section, said that companies are not particularly good at monitoring their own systems, leaving them open to internal theft. The average time between an internal breach and its discovery is 32 months, he said.

According to Dubose, companies need to start profiling high-risk employees by monitoring their adherence to internal IT security policies and other company guidelines. Unreported foreign trips and attempts to access classified information not related to an employee’s work duties should also raise red flags, he said.

On a broader level, Dubose said companies need to become more sophisticated about monitoring their networks for unusual and suspicious user patterns. He said they should institute centralized, system-wide logs of data access and transference that are easily accessible once a breach has been discovered.

Finally, if an internal breach is detected, companies need to crack the whip.

“The impact of a successful investigation and ultimate punishment can have a bigger deterrent effect than anything else,” Dubose said.

Write to Christopher M. Matthews at Christopher.Matthews@dowjones.com, and follow him on Twitter @cmatthews9

Comments (1 of 1)

The question is, "is most of the 'insider theft' perpetrated by foreign-national insiders?" And are those foreign "insiders" working at the behest or benefit of foreign government interests? It doesn't seem to be very helpful to be vague about this.
